----- Original Message -----
<snip>
> - make it possible to create Flatpaks quicker for some more
complicated
> apps
That just requires shipping the tools for third parties to use, not using
them to deliver software packaged by Fedora.
The tooling is koji and bohdi. Shipping them isn't enough, hosting them is
necessary as well.
> - developers not having to learn GPG to sign their releases
That is a very weak argument. It is very straightforward to set up an RPM
signing key, not any harder than writing a specfile. And then you just run
rpmsign --addsign to sign the RPMs.
And in the end, you are just saying that Flatpak does away with a critical
security feature. Relying exclusively on the sandboxing for security is a
very bad idea. Sandbox evasion exploits exist.
"developers not having to learn GPG to sign their *Flatpak* releases"
I really don't understand how you misinterpreted that sentence so badly,
individual Fedora developers never had to GPG sign their Fedora packages...
> - more efficient update tracking than RPM (eg. no need to
download 20 megs
> of metadata to know there's nothing to update)
But less efficient updating, because you will need to download much more
than 20 megs of bundled libraries.
You download deltas, so the downloading is unlikely to be any worse than
downloading packaged updates. It also means I can update individual apps
without guesswork.
The only reason the metadata is smaller
is because there is almost no dependency information encoded (only a single
dependency on a runtime). But those dependencies are what makes installing
and updating packages so efficient! Flatpak throws away the main competitive
advantage of GNU/Linux!
It's not efficient if I need to download 20 megs of data to see that I have
nothing to update. I really don't see why dependencies make installing and
updating packages "so efficient".
And it is actually possible to solve the metadata size issue, see the
work
on metadata deltas. (There was at least one talk at DevConf on this.)
Right. It's just not done yet.
I started replying from the bottom of the mail, but I stopped midway. The
number of unsubstantiated claims got the better of me.